☐ Verify that administrative access to the device’s configuration has appropriate security measures (username, strong password, two-step verification).

☐ Verify that administrative access to the device’s configuration requires strong passwords when configuring users, if security is very important.

☐ Verify that administrative access is more secure than user access.

☐ Verify that the administrative configuration allows for logging, security alerts and alarms; for example, logging whenever someone logs in as an administrator, or sending an alert any time a security option is changed.

☐ Verify that there is software to monitor security violations and either log them, send alerts, or both. For example, in a Bluetooth mesh network, log any time a non-authenticated device sends a beacon to request provisioning.[1]

Insecure Software / Firmware – Threat from anyone who has access to the device, the device’s network or the device’s update server (OWASP IoT Top 10 threat #9)

☐ Verify that the device has the ability to update remotely. If not, provide a justification to the Director of Development.

☐ Verify that the update file is encrypted at every stage after it leaves development.

☐ Verify that the device has the ability to authenticate the update, and that it actually does so before applying it.

☐ Verify that the update server is itself secure.

☐ Verify that the keys used to decrypt the update file are not stored in plain text on the device or in the cloud.
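The update items above, worked through as an added example (not code from the Circuit Cellar checklist): the build server encrypts the image before it leaves development and signs the whole package; the device verifies the Ed25519 signature before trusting any field, refuses rollback to an older version, and only then decrypts. The wire format, function names and the zero test key are assumptions; on real hardware the decryption key is read from a secure element or protected keystore rather than plaintext flash.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// Wire format (constructed for this example): version (4) || nonce (12) || AES-256-GCM ciphertext+tag || Ed25519 signature (64) over all preceding bytes.
const hdrLen = 4 + 12

// mustGCM panics on a malformed key: on a device that is a build error, not a runtime condition.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// BuildPackage runs on the build server: encrypt the image first, then sign the whole package.
func BuildPackage(signKey ed25519.PrivateKey, encKey []byte, version uint32, image []byte) []byte {
	pkg := make([]byte, hdrLen)
	binary.BigEndian.PutUint32(pkg, version)
	if _, err := rand.Read(pkg[4:hdrLen]); err != nil {
		panic(err)
	}
	pkg = mustGCM(encKey).Seal(pkg, pkg[4:hdrLen], image, nil) // appends ciphertext and tag
	return append(pkg, ed25519.Sign(signKey, pkg)...)
}

// VerifyAndDecrypt runs on the device: verify the signature before trusting any field, refuse rollback, then decrypt.
// encKey must be fetched from a secure element or protected keystore, never stored in plaintext flash (assumed here).
func VerifyAndDecrypt(pubKey ed25519.PublicKey, encKey []byte, installed uint32, pkg []byte) ([]byte, error) {
	if len(pkg) < hdrLen+ed25519.SignatureSize {
		return nil, errors.New("update rejected: truncated package")
	}
	signed, sig := pkg[:len(pkg)-ed25519.SignatureSize], pkg[len(pkg)-ed25519.SignatureSize:]
	if !ed25519.Verify(pubKey, signed, sig) {
		return nil, errors.New("update rejected: bad signature")
	}
	if v := binary.BigEndian.Uint32(signed); v <= installed {
		return nil, errors.New("update rejected: version not newer than installed")
	}
	return mustGCM(encKey).Open(nil, signed[4:hdrLen], signed[hdrLen:], nil)
}
```

Because the signature is checked first, a tampered or truncated package is rejected before the decryption key is ever used, and a re-delivered older package fails the version check even though its signature is valid.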


About Circuit Cellar Staff

Circuit Cellar's editorial team comprises professional engineers, technical editors, and digital media specialists. You can reach the Editorial Department at editorial@circuitcellar.com, @circuitcellar, and facebook.com/circuitcellar
